msg_goodpass and msg_badpass conditional

Munroe Sollog mus3 at
Fri Sep 30 18:44:42 UTC 2022

I had a desire to log additional information about authentications to help
enrich our logging analysis.  The best idea I came up with at the time was
to customize msg_goodpass and msg_badpass in the log{} section of the
radius.conf.  This worked as expected, however, now I find myself wanting
to customize these messages based on unlang attributes.  Specifically, I
log something like:

msg_goodpass = "AP-location: %{Aruba-Location-Id}, Device:
%{Aruba-Device-Type}, SSID: %{Aruba-Essid-Name}, Group: %{Aruba-AP-Group}”

This makes perfect sense and really helps the support staff to troubleshoot
user issues.  However, this log line will also log when a VPN user
successfully authenticates, and as such, makes no sense.  Any ideas or
suggestions for a more flexible way of customizing logging data would be

Munroe Sollog (He/Him/His)
Network Architect
munroe at

More information about the Freeradius-Users mailing list